OpenId + remember me / staying logged in

Frontend | Unresolved | 2 answers | 1233 views
伪装坚强ぢ 2021-02-12 14:59

I have a question as to how / what the best approaches are to using OpenId and also providing the ability to stay logged in.

If I look at Stackoverflow for example I hav

2 answers
  • 2021-02-12 15:22

    OpenID is still pretty new and several relying parties are trying out new and different ways to implement OpenID. There is a work in progress best practices document for relying parties hosted by the OpenID foundation. In particular, they address the question of cookies and session lengths in their last section. Definitely an interesting idea to use persistent claimed_id cookies rather than persistent session cookies in order to make the user's life easier -- they only have to log out of their OP and close the browser.

    Personally I find the behavior you're describing on StackOverflow pretty natural. If OpenID were out of the picture and you were logged into a username/password web site on two different computers with a persistent cookie (a very common scenario), and you changed your password on one, I wouldn't be surprised if the other computer still had me logged in. You could call that a security hole, but it's still normal practice. So normal in fact that Gmail recently added a display at the bottom of your Inbox screen that tells you where else you're logged in and gives you the opportunity to invalidate their session cookie.

    I would suggest that a similar approach could be taken by any RP, regardless of the authentication method. And that would probably mitigate the security concern you have.

  • 2021-02-12 15:27

    Stack Overflow probably uses a cookie to remember you as user number xyz or session id 1234. After authentication, OpenID has nothing at all to do with the session anymore. SO doesn't have the ability to see if you are still logged in to Google so this seems only natural.

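Both answers make the same point: once the OpenID exchange has succeeded, the relying party runs its own session, keyed by an opaque cookie, and the OP is never consulted again; the first answer adds that the natural mitigation for the "still logged in on the other computer" concern is to let the user see and revoke their other sessions, as Gmail does. The following is an added example, not code from either answer or from Stack Overflow, sketching such a relying-party session store in Python. The `SessionStore` class, the `u42` user id, the `https://example.invalid/openid/alice` claimed_id and the device labels are all constructed for illustration; the TTL values are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed lifetimes (not from the page): a normal login lasts two hours,
# a "remember me" login lasts thirty days.
SESSION_TTL = 60 * 60 * 2
REMEMBER_TTL = 60 * 60 * 24 * 30


@dataclass
class Session:
    user_id: str
    claimed_id: str     # the OpenID identity that authenticated this login
    device: str         # constructed label, e.g. a summary of the User-Agent
    created: float
    expires: float
    persistent: bool    # True for "remember me" logins


class SessionStore:
    """Server-side store for relying-party sessions, independent of the OP."""

    def __init__(self):
        self._sessions = {}   # sha256(cookie value) -> Session

    @staticmethod
    def _hash(token):
        # Only a hash of the cookie value is stored, so a leaked store
        # does not hand out usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user_id, claimed_id, device, remember_me, now=None):
        """Called once the OpenID assertion has been verified; returns the cookie value."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        ttl = REMEMBER_TTL if remember_me else SESSION_TTL
        self._sessions[self._hash(token)] = Session(
            user_id, claimed_id, device, now, now + ttl, remember_me)
        return token

    @staticmethod
    def cookie_header(token, persistent):
        # Max-Age is only set for remember-me logins; otherwise the browser
        # drops the cookie when it closes.
        attrs = f"sid={token}; Path=/; HttpOnly; Secure; SameSite=Lax"
        if persistent:
            attrs += f"; Max-Age={REMEMBER_TTL}"
        return attrs

    def resolve(self, token, now=None):
        """Look up the session for a cookie value; expired sessions are dropped."""
        now = time.time() if now is None else now
        key = self._hash(token)
        s = self._sessions.get(key)
        if s is None:
            return None
        if s.expires <= now:
            del self._sessions[key]
            return None
        return s

    def active_sessions(self, user_id, now=None):
        """What a 'where else am I logged in' page would display."""
        now = time.time() if now is None else now
        return [s for s in self._sessions.values()
                if s.user_id == user_id and s.expires > now]

    def revoke_others(self, user_id, keep_token):
        """The 'log out everywhere else' action; returns how many sessions were dropped."""
        keep = self._hash(keep_token)
        doomed = [h for h, s in self._sessions.items()
                  if s.user_id == user_id and h != keep]
        for h in doomed:
            del self._sessions[h]
        return len(doomed)


def demo():
    """Walk through the two-computer scenario from the answers; returns the observations."""
    store = SessionStore()
    claimed_id = "https://example.invalid/openid/alice"   # constructed
    now = 1_700_000_000.0
    laptop = store.login("u42", claimed_id, "laptop", remember_me=True, now=now)
    phone = store.login("u42", claimed_id, "phone", remember_me=False, now=now)
    devices = sorted(s.device for s in store.active_sessions("u42", now=now))
    # A week later: the plain session has expired, the remember-me one has not.
    later = now + 7 * 24 * 3600
    phone_expired = store.resolve(phone, now=later) is None
    laptop_alive = store.resolve(laptop, now=later) is not None
    # The phone logs in again (persistently); the user then revokes from the laptop.
    phone_again = store.login("u42", claimed_id, "phone", remember_me=True, now=later)
    revoked = store.revoke_others("u42", laptop)
    phone_revoked = store.resolve(phone_again, now=later) is None
    laptop_kept = store.resolve(laptop, now=later) is not None
    return devices, phone_expired, laptop_alive, revoked, phone_revoked, laptop_kept


if __name__ == "__main__":
    print(demo())
```

Nothing in `resolve` or `revoke_others` contacts the OpenID provider, which is exactly why logging out of the OP, or changing a credential there, leaves the relying party's cookie on the other computer valid until the RP itself expires or revokes it.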